ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Gateway

v1.0.0

Gateway universal para APIs. Conecta cualquier API REST/GraphQL con configuración simple. Gestiona autenticación, rate limiting y caching.

0· 827·0 current·0 all-time
byMiguel Guerra@miguelguerra200022-sudo
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (universal API gateway with auth, rate limiting, caching) matches the instructions and examples. The SKILL.md shows appropriate features (endpoints, auth types, caching, rate limiting), so the claimed capability is generally coherent with the described functionality.
Instruction Scope
Instructions focus on configuring APIs via YAML and calling external endpoints (api add, api call, api get/post, logs, stats). They reference reading config files (e.g., apis/weather.yaml) and environment variable substitution (${WEATHER_API_KEY}). The instructions do not explicitly tell the agent to read unrelated system files, but they implicitly require access to user-provided config files and environment variables that are not declared in the skill metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. That is the lowest-risk install mechanism.
!
Credentials
SKILL.md references multiple service credentials (WEATHER_API_KEY, GITHUB_TOKEN, SLACK_TOKEN, NOTION_API_KEY, DISCORD_TOKEN) and uses environment variable substitution in examples, but the skill's registry metadata declares no required env vars or primary credential. This mismatch is disproportionate and unclear: the skill implies it will need secret tokens for various third-party APIs but does not state how they will be provided, scoped, or stored.
Persistence & Privilege
The skill is not marked always:true, has no install step requesting persistent system changes, and does not request config paths or modify other skills. Autonomous invocation is allowed (default), which is normal, but this combined with the credential ambiguity increases risk.
What to consider before installing
This skill appears to be a documentation-only API gateway configuration guide, which is fine in principle, but it references many API tokens and YAML config files without declaring how those secrets are supplied or protected. Before installing or enabling this skill: (1) ask the publisher where config files and credentials are stored and who can access them; (2) require explicit, minimal environment variables only for the APIs you actually use (avoid placing broad tokens in a shared env); (3) run it in a restricted/sandboxed agent context if agents will call external APIs autonomously; and (4) verify logging and 'api logs' behavior so sensitive responses or tokens are not written to an unprotected log. If the publisher cannot explain where credentials are kept and how they are scoped, treat the skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔌 Clawdis
latestvk97527eyaejvxxpzs6xw4hsq598207f7
827downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
Miguel Guerra@miguelguerra200022-sudo
latest
Download

API Gateway Universal

Conecta el bot a cualquier API externa con configuración mínima. Un solo lugar para gestionar todas tus integraciones.

Concepto

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│    Bot      │ ──► │  API        │ ──► │  APIs       │
│  (Comando)  │     │  Gateway    │     │  Externas   │
└─────────────┘     └─────────────┘     └─────────────┘
                           │
                    ┌──────┴──────┐
                    │ • Auth      │
                    │ • Cache     │
                    │ • Rate Limit│
                    │ • Retry     │
                    └─────────────┘

Comandos

Configurar APIs

# Agregar nueva API
api add weather
  --base:https://api.openweathermap.org/data/2.5
  --auth:query:appid:$WEATHER_API_KEY

# Agregar endpoint
api endpoint weather current
  --path:/weather
  --params:q,units

# Listar APIs configuradas
api list

Llamar APIs

# Llamar endpoint
api call weather current --q:"Mexico City" --units:metric

# Llamada directa con URL
api get https://api.example.com/data

# POST con body
api post https://api.example.com/create --body:'{"name":"test"}'

Gestión

# Ver estadísticas
api stats weather

# Ver logs
api logs --last:10

# Probar conexión
api test weather

Ejemplo: Configurar API del Clima

# apis/weather.yaml
name: weather
base_url: https://api.openweathermap.org/data/2.5
auth:
  type: query
  param: appid
  value: ${WEATHER_API_KEY}
  
endpoints:
  current:
    path: /weather
    method: GET
    params:
      - q: string  # ciudad
      - units: metric|imperial
    cache: 10m
    
  forecast:
    path: /forecast
    method: GET
    params:
      - q: string
      - cnt: number  # días

Uso después de configurar

Usuario: clima en "Ciudad de México"

Bot: 🌤️ Clima actual en Ciudad de México:
     
     🌡️ Temperatura: 22°C
     💧 Humedad: 45%
     💨 Viento: 12 km/h
     🌅 Sensación térmica: 24°C

Tipos de Autenticación

TipoEjemplo
API Key (Header)Authorization: Bearer xxx
API Key (Query)?api_key=xxx
Basic Authusername:password
OAuth 2.0Token refresh automático
CustomHeaders personalizados

Funcionalidades

Caching

endpoints:
  data:
    cache: 15m  # Cache de 15 minutos

Rate Limiting

rate_limit:
  requests: 100
  period: 1h

Retry Automático

retry:
  attempts: 3
  backoff: exponential

APIs Pre-configuradas

APIConfiguración
OpenWeatherWEATHER_API_KEY
GitHubGITHUB_TOKEN
SlackSLACK_TOKEN
NotionNOTION_API_KEY
DiscordDISCORD_TOKEN

Integración

  • proactive-triggers: Llamar APIs en automatizaciones
  • daily-digest: Obtener datos de múltiples APIs
  • multi-agent: Los agentes pueden usar APIs configuradas

Comments

Loading comments...